fix: conceal sensitive domain information in auth error messages (#17132)

## Summary
- Removes exposure of allowed domain list in OIDC authentication error
messages
- Replaces detailed error messages with a generic message that doesn't
expose internal domains
- Adds "Please contact your administrator" to guide users seeking
assistance
- Addresses security concern where third-party contractors could see
internal domain information

## Test plan
- Test accessing Coder with an email that doesn't match allowed domains
- Verify error message no longer displays the list of authorized domains
- Verify message now includes guidance to contact administrator

Fixes issue related to domain information exposure during
authentication. Linked issue:
https://github.com/coder/coder/issues/17130

🤖 Generated with [Claude Code](https://claude.ai/code)
Eric Paulsen
2025-03-27 13:41:01 +00:00
committed by GitHub
parent 0eec78d714
commit 5bd2a3f190
2 changed files with 75 additions and 2 deletions


@ -1358,7 +1358,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
emailSp := strings.Split(email, "@")
if len(emailSp) == 1 {
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
Message: fmt.Sprintf("Your email %q is not from an authorized domain! Please contact your administrator.", email),
})
return
}
@ -1373,7 +1373,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
}
if !ok {
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
Message: fmt.Sprintf("Your email %q is not from an authorized domain! Please contact your administrator.", email),
})
return
}
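Review bot: The new generic message is now duplicated verbatim in both hunks (lines 1358 and 1373 of userOIDC), so the two rejection paths can drift apart the next time one of them is edited; hoist it once, e.g. `const oidcUnauthorizedDomainMsg = "Your email %q is not from an authorized domain! Please contact your administrator."` and use `Message: fmt.Sprintf(oidcUnauthorizedDomainMsg, email),` in both places. Removing `api.OIDCConfig.EmailDomain` from the response is the right call, but it also removes the only place an operator could see why a login was rejected; consider recording the rejected email domain and the configured allow-list in the server-side log at debug level (presumably via the handler's existing logger, if one is in scope) so the 403 stays diagnosable without exposing the list to the client. The `len(emailSp) == 1` branch in the first hunk now reports a malformed address (no `@`) with the same "not from an authorized domain" wording, which is acceptable but worth a one-line comment such as `// No "@" at all: treat as unauthorized rather than leaking parsing details.` The body of userOIDC starts and ends outside both hunks.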